Apps aimed at children collect a shocking amount of data

Apps aimed at kids tend to be the worst at invading privacy.

That's one surprising takeaway from the results gathered by computer researchers at Carnegie Mellon University. They just launched PrivacyGrade.org, where every Android app is ranked on how it tracks you.

Apps get a letter grade (A,B,C or D) that depends on two things: How the app tracks you and whether that tracking matches up with your expectations.

So, even apps that hound you for access to your location and contacts get good grades -- if they're upfront about how they track you. With that logic, Facebook(FB) and Instagram get an A.

The worst grades are reserved for popular children's games like My Talking Tom and Fruit Ninja.

My Talking Tom is a game where you raise a virtual cat. The gimmick: You speak to him, and he repeats everything you say. But the app takes your voice recordings, and shares that data with advertisers. And if you connect your phone to a computer, it can delete or modify files on that computer -- for a reason CMU researchers can't yet figure out.

Update: The makers of Talking Tom reject the findings, saying no personal information or recordings are shared with advertisers. And it only has access to connected computers so that users' videos can be saved.

Fruit Ninja is a game of sword-wielding, vegetarian carnage. But the app insists on knowing your precise location, carrier and phone number -- sharing that with advertisers.

Also on the naughty list: The Holy Bible. It surreptitiously grabs your contact list, phone call history, phone number, carrier and tracks your location. Bible for Kids isn't much better: It got a C, because it follows children's movements.

"There is a big gap between people's expectations and reality," said Jason Hong, an associate professor at the computer science school who led the project.

All in all, the team analyzed just over 1 million apps. Nearly 1,000 got the worst rating.

Why are some apps so intrusive? The problem, Hong said, is that app makers piece together computer code like building blocks. And when they want to make money from an app, they insert chunks of computer code that delivers data to advertisers -- without actually reviewing it.

That means app developers often don't even know how intrusive their app is. And it only gets worse when they sign up to receiving income from multiple advertising networks, because that sends user data in all directions.

"Most of these developers are not evil," Hong said. "They're trying to monetize apps, but they don't know what the right thing to do is. There's not a lot of best practices right now."

Hong originally had the idea to review apps four years ago. He was using one of the Motorola Droid phones that Google had donated to the university's computer lab, and he noticed the GPS icon would occasionally pop up -- then disappear.

After carefully digging through his app permissions, he discovered his blackjack card game was tracking where he drove and walked. It didn't make sense, and it didn't seem fair.

Hong set out to scan every Android app, backed with financial help from Google(GOOG), the National Science Foundation, the U.S. Army and Chinese computer security firm NQ Mobile(NQ). The program used to scan the apps were written by two doctorate students, Song Luan and Jialiu Lin (now a Google privacy engineer).

To gauge people's privacy expectations, they surveyed thousands of smartphone users. Then the university team built an algorithm that weighs permissions and expectations.

Hong said he hasn't been able to do the same kind of review of Apple(AAPL) apps, because he doesn't know anyone there. But he's interested.